New Zealand Privacy Commissioner Finds Health NZ & Manage My Health Breached Privacy Rules After Cyber Incident

Key Takeaways
  • Privacy Commissioner Found Dual Failures: Health New Zealand and Manage My Health were both found to have breached Rule 5 of New Zealand’s Health Information Privacy Code after failing to maintain reasonable safeguards around sensitive patient information.
  • Northland Patients Bore the Brunt: Around 91 percent of affected individuals were Northland patients, many likely Māori, due to a unique hospital discharge information-sharing arrangement that existed only in that region.
  • The Breach Was a Governance Failure as Much as a Technical One: The inquiry identified poor risk assessments, overreliance on vendor assurances, weak contractual controls, and the absence of specialist privacy and security personnel in the project design process.
  • Detection Failures Allowed the Breach to Escalate: Manage My Health lacked systems capable of identifying unusually large-scale data access activity before substantial amounts of patient information had already been stolen.
Deep Dive

New Zealand’s Privacy Commissioner released Phase 1 findings from an inquiry into the Manage My Health cyber incident, concluding that both Health New Zealand and Manage My Health breached Rule 5 of the Health Information Privacy Code by failing to ensure reasonable security safeguards were in place to protect patient information.

The breach exposed highly sensitive health information that was later accessed, stolen, and put up for sale. According to the inquiry, around 91 percent of affected patients were based in Northland, with many likely to be Māori.

The concentration of affected patients was tied to what the report described as a unique arrangement between Health NZ and Manage My Health in Northland that allowed hospital discharge information to be shared through the patient portal. No equivalent arrangement existed at other New Zealand hospitals, and the area of the portal holding that discharge information was the part compromised during the attack.

Privacy Commissioner Michael Webster said the incident exposed several weaknesses in how patient information was managed.

“Digital innovation can unlock greater efficiencies and effectiveness in service delivery,” Webster said. “However, my inquiry has found that there were several problems with how patient information was managed which contributed directly to the breach.”

The inquiry found the breach was not caused by a single security failure. Instead, investigators identified multiple weaknesses across both technology controls and governance practices. Manage My Health was found to have “several key gaps in security” that enabled the attack, while also lacking adequate monitoring systems capable of identifying unusually large data access activity before substantial information was stolen.
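The monitoring gap the inquiry describes, an absence of systems able to flag unusually large data access before bulk exfiltration completes, is the kind of control that is straightforward to demonstrate. The following is an added example, not code from the inquiry report, Health NZ or Manage My Health: a sliding-window detector over constructed patient-portal access logs that raises an alert when one principal reads more distinct patient records in a short window than a baseline allows. The log format, the principal names, the ten-minute window and the threshold of five distinct records are all assumptions chosen for illustration.

```python
"""
Added example: volume-based bulk-access detection over portal access logs.
Not the inquiry's or any vendor's code; log format and thresholds are assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format, assumed for the
# example: <ISO-8601 timestamp> <principal> <patient record id> <action>
# dr.smith reads a handful of records spread over an hour, which is normal
# clinical use; api_user_7 reads seven different records in three minutes,
# the shape of an automated bulk pull.
SAMPLE_LOG = """
2025-09-01T08:00:00 dr.smith P1001 view_discharge
2025-09-01T08:05:00 dr.smith P1002 view_discharge
2025-09-01T08:30:00 dr.smith P1003 view_discharge
2025-09-01T09:00:00 dr.smith P1004 view_discharge
2025-09-01T02:10:00 api_user_7 P2001 view_discharge
2025-09-01T02:10:30 api_user_7 P2002 view_discharge
2025-09-01T02:11:00 api_user_7 P2003 view_discharge
2025-09-01T02:11:30 api_user_7 P2004 view_discharge
2025-09-01T02:12:00 api_user_7 P2005 view_discharge
2025-09-01T02:12:30 api_user_7 P2006 view_discharge
2025-09-01T02:13:00 api_user_7 P2007 view_discharge
"""

WINDOW = timedelta(minutes=10)     # hypothetical sliding window
MAX_DISTINCT_PATIENTS = 5          # hypothetical per-window baseline


def parse_line(line):
    """Split one access-log line into (timestamp, principal, patient_id, action)."""
    ts, principal, patient_id, action = line.split()
    return datetime.fromisoformat(ts), principal, patient_id, action


def detect_bulk_access(lines, window=WINDOW, max_distinct=MAX_DISTINCT_PATIENTS):
    """Return {principal: (first_alert_time, distinct_records_in_window)} for every
    principal that reads more than `max_distinct` distinct patient records within
    any `window`-long span. Repeated reads of the same record do not count, so a
    clinician re-opening one chart is not mistaken for a bulk pull."""
    events = sorted(
        (parse_line(l) for l in lines if l.strip()),
        key=lambda e: e[0],
    )
    recent = defaultdict(deque)   # principal -> deque of (timestamp, patient_id)
    alerts = {}
    for ts, principal, patient_id, _action in events:
        q = recent[principal]
        q.append((ts, patient_id))
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {pid for _, pid in q}
        if len(distinct) > max_distinct and principal not in alerts:
            alerts[principal] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for principal, (when, count) in detect_bulk_access(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {when.isoformat()} {principal}: {count} distinct records in {WINDOW}")
```

On the constructed log this flags only `api_user_7`, at 02:12:30, when its distinct-record count in the window first passes five; `dr.smith` never exceeds two records in any ten-minute span. In production the baseline would be derived per role from historical access patterns rather than hard-coded, and the alert should fire synchronously enough to suspend the session, since an alert that arrives after the export finishes is the failure mode the report describes.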

The report also raised concerns about the company’s overall approach to security architecture, governance, and risk management practices.

At the same time, the inquiry concluded Health NZ failed to apply sufficient scrutiny before enabling the sharing of Northland hospital information through the portal.

Investigators found the project team responsible for the initiative did not include specialist privacy or security personnel despite the scale and novelty of the arrangement. The inquiry also cited an over-reliance on assurances from Manage My Health rather than conducting independent validation of the platform’s security controls.

Internal privacy risk assessments were described as poor quality, leaving decision makers insufficiently informed about what safeguards were necessary to securely share hospital information through the portal. The inquiry further found the contract between Health NZ and Manage My Health was too generic and failed to adequately reflect the risks and operational realities associated with the information-sharing arrangement.

The inquiry repeatedly stressed that privacy and security cannot be treated as compliance checkboxes bolted on late in a project. The report specifically warned against over-reliance on vendor representations about security posture and emphasized the importance of independent assessment and continuous oversight.

The Privacy Commissioner also recommended broader structural reforms for the healthcare sector. Among them was a recommendation that New Zealand’s Ministry of Health establish a centralized process for verifying and assuring that patient health portals meet sector security standards, rather than leaving individual GP practices or organizations to conduct their own assessments independently.

The inquiry additionally recommended changes to the Privacy Act that would allow third-party providers handling personal information on behalf of other organizations to face direct liability where reasonable security safeguards are not maintained.

Compliance notices are now expected to be issued to both Health NZ and Manage My Health. Webster described the notices as “the strongest tool” currently available to respond to serious privacy breaches and said they would allow regulators to independently verify whether corrective measures are operating effectively.

The inquiry’s second phase is expected to begin soon and will shift focus toward the real-world consequences of the breach. That phase will examine issues including patient authorization practices, breach communications, retention and deletion of information, compliance with notification requirements under the Privacy Act, and whether Māori communities in Northland experienced disproportionate harm.
